| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
In preparation for making struct be_req opaque.
|
|
In preparation for making be_req opaque
|
|
|
|
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque.
|
|
|
|
The sysdb context is already available through the 'domain' context.
|
|
The sysdb context is already available through the 'domain' structure.
|
|
|
|
Related to https://fedorahosted.org/sssd/ticket/1757
Previously we would optimize the mc invalidate code for cases where the
user was a member of some groups. But if the user was removed from the
server while being in memory cache, we would only invalidate the mc
record if he was a member of at least one supplementary group.
|
|
|
|
Bring it out of sysdb, which will slowly remove internal dependencies on
domains and instead will always require them to be passed by callers.
|
|
If the Data Provider receives a request for the auto.master map, it
passes on a flag to let the actual provider let know he should
invalidate the existing maps
|
|
This is needed in order to assure the memcache is properly and promptly
cleaned up if a user memberships change on login.
The list of the current groups for the user is sourced before it is
updated and sent to the NSS provider to verify if it has changed after
the update call has been made.
|
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
To make configuration easier the IPA subdomain provider should be always
loaded if the IPA ID provider is configured and the subdomain provider
is not explicitly disabled. But to avoid the overhead of regular
subdomain requests in setups where no subdomains are used the IPA
subdomain provider should behave differently if configured explicit or
implicit.
If the IPA subdomain provider is configured explicitly, i.e.
'subdomains_provider = ipa' can be found in the domain section of
sssd.conf subdomain request are always send to the server if needed.
If it is configured implicitly and a request to the server fails
with an indication that the server currently does not support subdomains
at all, e.g. is not configured to handle trust relationships, a new
request will be only send to the server after a long timeout or after
a going-online event.
To be able to make this distinction this patch save the configuration
status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613
|
|
|
|
https://fedorahosted.org/sssd/ticket/1495
|
|
Fixes https://fedorahosted.org/sssd/ticket/1517
|
|
https://fedorahosted.org/sssd/ticket/1458
When the responder is disabled and sudo_provider is set explicitly,
a warning is print and the module will be initialized.
|
|
|
|
|
|
The DP was sending the reply in a format the responder did not expect,
so the responder always failed to parse the message.
|
|
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allows us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often.
|
|
I am all for readable names, but there is a tradeof between expressing purpose
and compactness.
|
|
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.
|
|
|
|
In case of error the request wasn't freed and the callback just ended.
|
|
|
|
|
|
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113
|
|
The subdomains back end request was sending replies in a format the
responder did not understand in case the request failed.
|
|
Instead of using account_info request, creates a new ssh specific
request. This improves code readability and will make the code more
flexible in the future.
https://fedorahosted.org/sssd/ticket/1176
|
|
The function was used outside services code which was confusing due to
its name. This patch renames it to sound more netrual.
|
|
configured
The done handler uses the value of status, not ret.
|
|
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1270
|
|
This function alters the memory hierarchy of the be_req
to ensure memory safety during shutdown. It creates a
spy on the be_cli object so that it will free the be_req
if the client is freed.
It is generally allocated atop the private data context
for the appropriate back-end against which it is being
filed.
https://fedorahosted.org/sssd/ticket/1226
|
|
|
|
We now have a session module that is only available for the IPA
provider. We should not be logging noisily that other providers
do not have the session provider configured.
https://fedorahosted.org/sssd/ticket/1211
|
|
|
|
If the dbus_message_get_args() failed, we would have been
dereferencing a NULL be_req.
Coverity #12490
|
|
Coverity #12529
|
|
|
|
|
